Can you scan the entire internet, with over 8 billion devices connected to it? When a major new security bug is found, researchers have to. Sweeping the whole routable IPv4 space (roughly 4.3 billion addresses) in a short time lets them count how many devices are exposed to the bug, which helps prioritize mitigation and alert the owners of vulnerable systems.
So how is this accomplished?
Many researchers use Masscan for these large-scale scans. Before it existed they had to rely on the famous port scanner Nmap, and an internet-wide sweep could take over two months. Masscan, in the right environment, transmits close to 10 million packets per second, so a single-port sweep of the IPv4 space takes only minutes (4.3 billion probes at 10 million per second is about seven minutes of transmission). It sends a single SYN packet to each target and never completes the TCP handshake, so there is no per-connection overhead and no table of outstanding targets in memory: a SYN-ACK or RST that comes back is matched to its probe by the sequence number Masscan chose for it (a SYN-cookie style check), not by looking the address up.
Masscan boasts:
- Command-line syntax and output similar to Nmap
- Asynchronous transmission (probes are sent without waiting for replies)
- Its own custom user-space TCP/IP stack, independent of the host kernel's
Masscan installation
Installing on Linux and macOS is trivial.
Linux
# install build dependencies
sudo apt-get install git gcc make libpcap-dev
# pull the project from GitHub
git clone https://github.com/robertdavidgraham/masscan
# enter the directory and build; the binary ends up in bin/masscan
cd masscan
make
# optionally install it system-wide
sudo make install
macOS
# install Homebrew
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
# install masscan with Homebrew (the command is brew, not homebrew)
brew install masscan
Windows
With Windows the process is more involved and you will need Visual Studio to build (this article used Visual Studio 2015; the solution file in the repository is the vs10 one).
Download the GitHub project in PowerShell. Note that PowerShell's wget is only an alias for Invoke-WebRequest, which does not write anything to disk unless you pass -OutFile:
Invoke-WebRequest -Uri https://github.com/robertdavidgraham/masscan/archive/master.zip -OutFile master.zip
Expand-Archive -Path master.zip -DestinationPath .
The archive unpacks into a masscan-master folder. Open the SLN solution file with Visual Studio at:
\masscan-master\vs10\masscan.sln
(with a git clone the path is \masscan\vs10\masscan.sln instead). Then build the solution from the Build menu in Visual Studio.
Requirements for the fastest scanning
The Masscan developers indicate that to get beyond 2 million packets per second you need an Intel 10 Gbps Ethernet adapter and the special "PF_RING ZC" driver.
To use PF_RING you will need to build the following components as part of its install:
- libpfring.so
- pf_ring.ko
- ixgbe.ko
Masscan itself does not need to be rebuilt against PF_RING; the standard build loads libpfring.so dynamically at run time.
Scanning Options
To scan a simple private network:
masscan -p 80 10.0.0.0/24
This will:
- scan the 10.0.0.0/24 subnet, all 256 addresses from 10.0.0.0 to 10.0.0.255 (Masscan treats a range as plain integers and does not skip the network or broadcast address).
- probe each of them for an open TCP port 80.
To scan with banner grabbing:
masscan 10.0.0.0/24 -p 80 --banners --source-ip 10.0.0.2
Banner grabbing needs a real TCP connection, which Masscan completes with its own stack. The host kernel knows nothing about that connection, so if the probes come from the machine's normal address the kernel answers the server's SYN-ACK with a RST and the connection dies before any banner arrives. The --source-ip address must therefore be a spare address on the local network that the operating system itself is not using (10.0.0.2 above). The alternative is to keep the host's address but pin Masscan to a fixed source port with --source-port and firewall that port on the host so the kernel never sees the replies.
To scan for the Heartbleed vulnerability (the check runs over an established TLS connection, so the same source-address caveat as for banner grabbing applies; the original used -s here, which is not Masscan's source-address option):
masscan 10.0.0.0/24 -p 443 --source-ip 10.0.0.2 --rate 100000 --heartbleed
Scan the entire internet for every open port:
masscan 0.0.0.0/0 -p0-65535
Two caveats: Masscan's default rate is only 100 packets per second, so a sweep of this size needs an explicit --rate to finish in any useful time, and 0.0.0.0/0 includes every reserved, private and off-limits range, so in practice it is always run together with an exclude file.
Tips for scanning
Scanning the entire internet is usually a bad idea. If your research requires it, tell your ISP what you are doing before you start. Be up front about the research, because a scanning campaign generates a lot of abuse complaints from networks that assume someone on your ISP's network is attacking them.
As complaints come in you will have to maintain an exclude list so that you stop probing networks that do not want to be probed (the DoD, for example). If your work is above board and you honour the exclude list, your ISP will shield you from most complaints and in most cases explain your research activity to the complainants.
You can exclude IP addresses from your scans with an exclude file: one address, CIDR block or start-end range per line, with lines starting with # treated as comments.
masscan 0.0.0.0/0 -p0-65535 --excludefile exclude.txt
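The two halves of a responsible sweep described above, a rate-limited command line with an exclude file and a first look at the results, as an added shell example that is not part of the original article or of the masscan project. It assumes the list output layout masscan writes with -oL (one "open tcp <port> <ip> <unix timestamp>" line per finding between a #masscan header and a # end trailer; the banner line layout is likewise an assumption) and an exclude file of one IP, CIDR block or start-end range per line. The results file and the address ranges are constructed for the example, and the scan command is printed rather than executed, so nothing here touches the network.

```shell
#!/bin/sh
# Added example, not from the masscan project. Nothing here sends a packet:
# the scan command is only printed, and the "results" are a constructed file.

# Write an exclude file in the format masscan's --excludefile reads:
# one IP, CIDR block or start-end range per line, '#' starts a comment.
write_exclude_file() {
    cat > "$1" <<'EOF'
# constructed example exclude list
# private, loopback and multicast space is not routable on the internet
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
127.0.0.0/8
224.0.0.0-255.255.255.255
# hypothetical range added after an abuse complaint
203.0.113.0/24
EOF
}

# Compose (and print, rather than run) a rate-limited sweep with list output.
# Arguments: targets, port range, packets per second, exclude file, output file.
scan_command() {
    printf 'masscan %s -p%s --rate %s --excludefile %s -oL %s\n' "$1" "$2" "$3" "$4" "$5"
}

# Constructed results in the assumed -oL layout: "<status> <proto> <port> <ip> <timestamp>".
# A banner line (as produced with --banners) is included to show the summary skips it.
write_sample_results() {
    cat > "$1" <<'EOF'
#masscan
open tcp 80 198.51.100.10 1573843200
open tcp 443 198.51.100.10 1573843201
open tcp 80 198.51.100.11 1573843202
open tcp 22 198.51.100.12 1573843203
open tcp 443 203.0.113.7 1573843204
open tcp 80 203.0.113.9 1573843205
banner tcp 80 198.51.100.10 1573843206 http Apache
# end
EOF
}

# Count open hosts per TCP port, most common port first (ties by port number).
summarize_open_ports() {
    awk '$1 == "open" && $2 == "tcp" { n[$3]++ }
         END { for (p in n) printf "%d %s\n", n[p], p }' "$1" | sort -k1,1nr -k2,2n
}

# List hosts in the results that sit inside a /24 on the exclude list.
# Anything printed means the exclude file was not honoured for that run.
# Arguments: first three octets of the /24 (e.g. 203.0.113), results file.
hits_in_excluded_24() {
    awk -v p="$1." '$1 == "open" && index($4, p) == 1 { print $4 }' "$2" | sort -u
}

# Demo run against the constructed data.
d=$(mktemp -d)
write_exclude_file "$d/exclude.txt"
scan_command 0.0.0.0/0 0-65535 100000 "$d/exclude.txt" "$d/results.txt"
write_sample_results "$d/results.txt"
summarize_open_ports "$d/results.txt"
hits_in_excluded_24 203.0.113 "$d/results.txt"
rm -rf "$d"
```

Run it as a script to see the composed command, the per-port counts (3 hosts on 80, 2 on 443, 1 on 22) and the two hosts that fall inside the excluded 203.0.113.0/24; to use it against a real run, point summarize_open_ports and hits_in_excluded_24 at the file masscan wrote with -oL.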
Lessons to be learned
Masscan shows just how small the internet really is and how easy it is to find potential victims. Although most of these sweeps are run by white-hat researchers, nothing stops an attacker from renting an anonymous virtual private server and running vulnerability scans until the hosting platform shuts them down. This is why it is so important to patch your systems regularly and to keep as much of your infrastructure as possible off the public internet, exposing only the services that genuinely need to be reachable.